Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/* .Actions that interfere with eventing and other notifications that can be used to detect intrusion activity may compromise the integrity of security solutions, causing events to go unreported. They may also make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred.
Windows event logs are a record of a computer's alerts and notifications. Microsoft defines an event as "any significant occurrence in the system or in a program that requires users to be notified or an entry added to a log." There are three system-defined sources of Events: System, Application, and Security.
Adversaries performing actions related to account management, account logon and directory service access, etc. may choose to clear the events in order to hide their activities.
The event logs can be cleared with the following utility commands:
wevtutil cl systemwevtutil cl applicationwevtutil cl securityLogs may also be cleared through other mechanisms, such as PowerShell.
Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| log_name | Windows Log Name, ex System | String | System |
wevtutil cl #{log_name}Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon exectuion, no output will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
Supported Platforms: Windows
fsutil usn deletejournal /D C:fsutil usn createjournal m=1000 a=100 c:Delete system and audit logs
Supported Platforms: macOS, Linux
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| username | Username of mail spool | String | root |
echo 0> /var/spool/mail/#{username}This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| log_path | Path of specified log | Path | /var/log/secure |
echo 0> #{log_path}Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments. Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it. When this service get's stopped, it is automatically restarted and the Security.evtx folder re-created.
Supported Platforms: Windows
$eventLogId = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'EventLog'" | Select-Object -ExpandProperty ProcessId
Stop-Process -Id $eventLogId -Force
Remove-Item C:\Windows\System32\winevt\Logs\Security.evtxStart-Service -Name EventLogClear event logs using built-in PowerShell commands. Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
Supported Platforms: Windows
Clear-EventLog -logname Application